Cyber Resilience

CVE-2026-34180

Severity: High (updated)

Published: 09 June 2026
Modified: 17 June 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0051 (39.9th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-34180 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in OpenSSL (vendor/product: openssl/openssl). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood (EPSS) the CVE ranks at the 39.9th percentile, below the median, and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Issue summary: Parsing a crafted DER-encoded ASN.1 structure with a primitive element whose content exceeds 2 gigabytes in length may cause a heap buffer over-read on 64-bit Unix and Unix-like platforms.

Impact summary: The heap buffer over-read may crash the application (Denial of Service) or load into the decoded ASN.1 object contents of memory beyond the end of the input buffer. More typically such ASN.1 elements would instead be truncated.

An integer truncation in OpenSSL's ASN.1 decoder causes the content length of an ASN.1 primitive element to be mishandled when it exceeds 2 gigabytes. In the worst case the truncated length is treated as a request to scan the binary content for a terminating zero byte, possibly causing OpenSSL to read either less than or beyond the end of the allocated buffer. Applications that pass attacker-supplied data to d2i_X509(), d2i_PKCS7(), or any other d2i_* decoding function are affected. OpenSSL's own command-line tools are not vulnerable, as data read through the BIO layer is checked before it reaches the affected code. The issue only affects 64-bit Unix and Unix-like platforms; 32-bit platforms and 64-bit Windows are not affected. The FIPS modules in 4.0, 3.6, 3.5, 3.4 and 3.0 are not affected by this issue, as the affected code is outside the OpenSSL FIPS module boundary.
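The advisory notes that OpenSSL's own tools are safe because the BIO layer checks input sizes before the d2i_* decoders see them. The following added example (not OpenSSL code; the helper name der_outer_length_check, the return codes and the two sample headers are assumptions) reproduces such a check at the application boundary: it parses only the outermost DER tag and length octets and refuses input whose declared content length exceeds 2 GiB or the buffer actually supplied.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not OpenSSL code. The advisory describes a primitive
 * element whose declared content length exceeds 2 GiB being mishandled
 * by the affected d2i_* functions. This hypothetical pre-check rejects
 * such input before it is handed to a decoder, mirroring the size check
 * the advisory attributes to OpenSSL's BIO layer. */
#define DER_LEN_LIMIT ((uint64_t)INT32_MAX)

enum der_check { DER_OK = 0, DER_MALFORMED = -1, DER_TOO_LONG = 1, DER_TRUNCATED = 2 };

/* Parses the outer TLV header only. On return *content holds the declared
 * content length and *hdr the number of header octets consumed. */
int der_outer_length_check(const unsigned char *buf, size_t len,
                           uint64_t *content, size_t *hdr)
{
    size_t pos = 0;
    if (len < 2) return DER_MALFORMED;
    if ((buf[pos] & 0x1F) == 0x1F) {            /* high-tag-number form */
        do { if (++pos >= len) return DER_MALFORMED; } while (buf[pos] & 0x80);
    }
    if (++pos >= len) return DER_MALFORMED;     /* step past the tag */
    unsigned char first = buf[pos++];
    uint64_t clen;
    if (first < 0x80) {
        clen = first;                            /* short-form length */
    } else {
        unsigned n = first & 0x7F;               /* long form: n length octets */
        /* n == 0 is the indefinite form, which DER forbids; n > 8 cannot fit */
        if (n == 0 || n > 8 || pos + n > len) return DER_MALFORMED;
        clen = 0;
        for (unsigned i = 0; i < n; i++) clen = (clen << 8) | buf[pos++];
    }
    if (content) *content = clen;
    if (hdr) *hdr = pos;
    if (clen > DER_LEN_LIMIT) return DER_TOO_LONG;   /* the 2 GiB case */
    if (clen > len - pos) return DER_TRUNCATED;      /* declares more than supplied */
    return DER_OK;
}

/* Constructed sample headers (no real certificate data): a SEQUENCE that
 * declares 266 bytes, and an OCTET STRING that declares exactly 2^31 bytes. */
static const unsigned char sample_seq[]  = { 0x30, 0x82, 0x01, 0x0A };
static const unsigned char sample_huge[] = { 0x04, 0x84, 0x80, 0x00, 0x00, 0x00 };
```

Only input that returns DER_OK should reach d2i_X509() or any other d2i_* call; the check adds no parsing of the element body and so does not itself touch the affected code path.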

CWE(s)

CWE-125 Out-of-bounds Read
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability in OpenSSL's ASN.1 DER parsing (the d2i_* functions) is reachable remotely wherever a public-facing application decodes attacker-supplied data such as certificates.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-9076 (same product: openssl/openssl)
CVE-2026-28386 (same product: openssl/openssl)
CVE-2022-4203 (same product: openssl/openssl)
CVE-2026-42771 (same product: openssl/openssl)
CVE-2026-45447 (same product: openssl/openssl)
CVE-2025-69419 (same product: openssl/openssl)
CVE-2026-31790 (same product: openssl/openssl)
CVE-2026-31789 (same product: openssl/openssl)
CVE-2026-28388 (same product: openssl/openssl)
CVE-2026-35188 (same product: openssl/openssl)

Affected Assets

Vendor: openssl
Product: openssl
Versions: 4.0.0; 1.0.2 through 1.0.2zq; 1.1.1 through 1.1.1zh; 3.0.0 through 3.0.21

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.